Abstract
Broadcast encryption (BE) is an effective method to broadcast encrypted confidential content, although it does not support the transmission of personalized messages to individuals. Broadcast encryption with personalized messages (BEPM) simultaneously transmits not only the common encrypted message to a group of users but also encrypted personalized messages to individual users. Currently available BEPM schemes fail to provide recipient anonymity, which means that information about the subscriber set is available to adversaries. This paper first introduces a new BEPM paradigm, called identity-based outsider anonymous broadcast encryption with personalized messages (IB-OAnoBEPM), by tweaking the identity-based framework over the most advanced and secure asymmetric Type-3 variant of the bilinear maps. In addition to being adaptively secure, our construction achieves indistinguishability under chosen-plaintext attack under the standard asymmetric decisional bilinear Diffie-Hellman exponent assumption, without using the random oracle model. Moreover, the proposed scheme is the first BEPM system that achieves security without any non-standard q-type assumptions. In particular, our design is very efficient in terms of both communication and computation costs: the ciphertext size is constant, and the decryption algorithm requires only three asymmetric bilinear pairings to recover the correct message and the personalized messages, which is highly desirable for light-weight devices.
Acknowledgements
This research was partially supported by the Ministry of Internal Affairs and Communications SCOPE (Grant Number 182103105) and by JST CREST (Grant Number JPMJCR14D6), Japan.
Appendix
A Proof of Theorem 1
Proof
Assume that there exists a \({\textsf {PPT}}\) adversary \(\mathcal {A}\) in the ciphertext indistinguishability with receiver anonymity game that makes at most a polynomial number of user secret-key queries, say \(q=\textsf {poly}(\eta )\), against our \(\varPi _{\textsf {IB-OAnoBEPM}}\) scheme. We can construct a simulator \(\mathcal {B}\) that breaks the asymmetric \(\textsf {DBDHE}\) assumption (cf. Definition 2) using \(\mathcal {A}\) as a subroutine. Here \(\mathcal {B}\) works as the \(\varPi _{\textsf {IB-OAnoBEPM}}\) challenger in the adaptive \(\textsf {IND-CPA}\) secure ciphertext indistinguishability with receiver anonymity game. At the beginning of the game, \(\mathcal {B}\) obtains the \(\textsf {DBDHE}\) challenge instance \(\big <Z=(\mathbb {BG}, \widetilde{P}, \widetilde{P}^{\alpha }, \ldots , \widetilde{P}^{{\alpha }^{m}}, \widetilde{P}^{{\alpha }^{m+2}}, \ldots , \widetilde{P}^{{\alpha }^{2m}}, P, P^{\alpha }, \ldots , P^{{\alpha }^{m}}, P^{c}), K\big>\) to decide whether \(K\) is \(e(P,\widetilde{P})^{\alpha ^{m+1}\cdot c}\) or a random element \(X\) from the target group \(\mathbb {G}_{T}^{\times }\), where \(\alpha , c \in _R \mathbb {Z}^{*}_p\), \(\mathbb {BG}=(p,\mathbb {G}^{\times },\widetilde{\mathbb {G}}^{\times },\mathbb {G}_{T}^{\times },e)\), and \(P\), \(\widetilde{P}\) are random generators of \(\mathbb {G}^{\times }\) and \(\widetilde{\mathbb {G}}^{\times }\) respectively. The simulator \(\mathcal {B}\) proceeds as follows.
- Setup: Initially, \(\mathcal {B}\) sets an integer \(m=4q\) and randomly chooses integers \(k_{j}\in \{0,1,\ldots ,N\}\) and \(x_{j}\in \{0,1,\ldots ,m-1\}\), where \(1\le j \le N\). It also randomly selects \(y^{'},a \in \mathbb {Z}_{p}^{*}\). Thereafter, for a user \(j\in [N]\) with \(ID_{j}\in \mathbb {Z}_{p}^{*}\), \(\mathcal {B}\) defines the following functions.
$$\begin{aligned} \mathcal {F}(ID_{j})= & {} (p-mk_{j})+x^{'}+x_{j}+ID_{j},~~~ \mathcal {J}(ID_{j}) = y^{'}+ID_{j}~ \text {and}\\ \mathcal {Q}(ID_{j})= & {} \left. {\left\{ \begin{array}{ll} 0,~~\text {if}~~x_{j}+ID_{j} \equiv 0~(\bmod {~m})\\ 1,~~\text {otherwise} \end{array}\right. } \right\} \end{aligned}$$
   To publish the master public-key \(\textsf {OAnoMPK}\), \(\mathcal {B}\) chooses a collision-resistant cryptographic hash function \(H:\{0,1\}^{l}\rightarrow \mathbb {Z}_{p}^{*}\). It computes the group elements \(\widetilde{P}_{1}=\widetilde{P}^{\alpha }\), \(\widetilde{P}_{2}=\widetilde{P}^{\alpha ^{N}+a}\), \(P_{2}=P^{\alpha ^{N}+a}\), \(\big \{\widetilde{Y}_{i}=\widetilde{P}^{\alpha ^{i}}\big \}_{i=1,i\ne N+1}^{2N}\), \(\big \{Y_{i}=P^{\alpha ^{i}}\big \}_{i=1}^{N}\) utilizing the \(\textsf {DBDHE}\) challenge instance \(\big <Z,K\big>\).
   Finally, it sets the components \(U_{j}=P\cdot Y_{N-j+1},\) \(\widetilde{U}_{j}=\widetilde{P}\cdot \widetilde{Y}_{N-j+1},\) \(\widetilde{f}_{j}=\widetilde{P}^{y^{'}}\cdot \widetilde{Y}^{p-mk_{j}+x_{j}}_{N-j+1},\) \({f}_{j}={P}^{y^{'}}\cdot \widetilde{Y}^{p-mk_{j}+x_{j}}_{N-j+1},\) \(\varOmega =e(P_{2},\widetilde{P}_{1})\) and publishes the simulated master public-key \({\textsf {OAnoMPK}}=(P, \widetilde{P}, \widetilde{P}_{1}, \widetilde{P}_{2}, P_{2}, \{f_{j}\}_{j=1}^{N}, \{U_{j}\}_{j=1}^{N}, \varOmega , H)\). It also sets the simulated master secret-key as \({\textsf {OAnoMSK}}=({\widetilde{P}_{2}}^{\alpha }, \{\widetilde{f}_{j}\}_{j=1}^{N}, \{\widetilde{U}_{j}\}_{j=1}^{N})\) and keeps it secret.
- Phase 1: Now, \(\mathcal {A}\) adaptively issues polynomially many, say \(q=\textsf {poly}(\eta )\), user secret-key queries. The adversary \(\mathcal {A}\) sends an identity \(id_{u} \in \{0,1\}^{l}\) of user \(u\in [N]\) to \(\mathcal {B}\). To return a valid secret-key, \(\mathcal {B}\) computes \(ID_{i}=H(id_{i})\in \mathbb {Z}^{*}_{p}\) for \(1\le i \le N\), and does the following.
  - If \(\mathcal {Q}(ID_{u})=0\), \(\mathcal {B}\) aborts the game and chooses a random bit from \(\{0,1\}\) to solve the asymmetric \(\textsf {DBDHE}\) problem.
  - Otherwise, \(\mathcal {B}\) randomly chooses an exponent \(r\in \mathbb {Z}_{p}^{*}\) and sets \(d_{u,0}={\widetilde{P}}^{r}\cdot \widetilde{Y}_{u}^{-\frac{1}{\mathcal {F}(ID_{u})}}\), \(d_{u,u}={\widetilde{P}_{1}}^{a}\cdot \widetilde{Y}_{u}^{-\frac{\mathcal {J}(ID_{u})}{\mathcal {F}(ID_{u})}}(\widetilde{f}_{u}\cdot \widetilde{U}_{u}^{ID_{u}})^{r}\), \(d_{u,N}=(\widetilde{P}_{2})^{ID_{u}}\) and \(d_{u,j}=(\widetilde{f}_{j}\cdot \widetilde{U}_{j}^{ID_{j}})^{r}\cdot \widetilde{Y}_{u}^{-\frac{\mathcal {J}(ID_{j})}{\mathcal {F}(ID_{u})}}\cdot \widetilde{Y}_{N-j+1+u}^{-\frac{\mathcal {F}(ID_{j})}{\mathcal {F}(ID_{u})}},~\text {for}~1\le j\ne u \le N\).
  - Finally, \(\mathcal {B}\) returns the secret-key \({\textsf {OAnoSK}_{u}}=(d_{u,0},d_{u,u},d_{u,N+1},\{d_{u,j}:1\le j\ne u \le N\})\) to the adversary \(\mathcal {A}\).
Observe that the components of \({\textsf {OAnoSK}_{u}}\) are valid secret-key components, as in the original protocol. Assume that \(\widehat{r}=r-\frac{\alpha ^{u}}{\mathcal {F}(ID_{u})}\), then
$$\begin{aligned} d_{u,0}=&{\widetilde{P}}^{r}\cdot \widetilde{Y}_{u}^{-\frac{1}{\mathcal {F}(ID_{u})}}= \widetilde{P}^{r-\frac{\alpha ^{u}}{\mathcal {F}(ID_{u})}}=(\widetilde{P})^{\widehat{r}},~d_{u,N}=(\widetilde{P}_{2})^{ID_{u}}\\ d_{u,u}=&{\widetilde{P}_{1}}^{a}\cdot \widetilde{Y}_{u}^{-\frac{\mathcal {J}(ID_{u})}{\mathcal {F}(ID_{u})}}(\widetilde{f}_{u}\cdot \widetilde{U}_{u}^{ID_{u}})^{r}= \widetilde{P}^{a\alpha -\frac{\alpha ^{u}\mathcal {J}(ID_{u})}{\mathcal {F}(ID_{u})}} \cdot \widetilde{P}^{\alpha ^{N+1}-\alpha ^{N+1}} \cdot (\widetilde{f}_{u}\cdot \widetilde{U}_{u}^{ID_{u}})^{r}\\ =&\widetilde{P}^{a\alpha }\cdot \widetilde{P}^{\alpha ^{N+1}} \cdot \widetilde{P}^{-\frac{\alpha ^{u}\mathcal {J}(ID_{u})}{\mathcal {F}(ID_{u})}-\alpha ^{N+1}\frac{\mathcal {F}(ID_{u})}{\mathcal {F}(ID_{u})}} \cdot (\widetilde{f}_{u}\cdot \widetilde{U}_{u}^{ID_{u}})^{r}\\ =&\widetilde{P}^{(a\alpha +\alpha ^{N+1})}\big (\widetilde{P}^{\alpha ^{N-u+1}\mathcal {F}(ID_{u})} \cdot \widetilde{P}^{\mathcal {J}(ID_{u})}\big )^{-\frac{\alpha ^{u}}{\mathcal {F}(ID_{u})}} \cdot (\widetilde{f}_{u}\cdot \widetilde{U}_{u}^{ID_{u}})^{r}\\ =&\widetilde{P}_{2}^{\alpha }\big (\widetilde{P}^{\alpha ^{N-u+1}(p-mk_{u}+x_{u}+ID_{u})+y^{'} +ID_{u}}\big )^{-\frac{\alpha ^{u}}{\mathcal {F}(ID_{u})}} \cdot (\widetilde{f}_{u}\cdot \widetilde{U}_{u}^{ID_{u}})^{r}\\ =&\widetilde{P}_{2}^{\alpha }\big (\widetilde{f}_{u}\cdot \widetilde{U}_{u}^{ID_{u}}\big )^{r-\frac{\alpha ^{u}}{\mathcal {F}(ID_{u})}}=\widetilde{P}_{2}^{\alpha }\big (\widetilde{f}_{u}\cdot \widetilde{U}_{u}^{ID_{u}}\big )^{\widehat{r}}\\ d_{u,j}=&(\widetilde{f}_{j}\cdot \widetilde{U}_{j}^{ID_{j}})^{r}\cdot \widetilde{Y}_{u}^{-\frac{\mathcal {J}(ID_{j})}{\mathcal {F}(ID_{u})}}\cdot \widetilde{Y}_{N-j+1+u}^{-\frac{\mathcal {F}(ID_{j})}{\mathcal {F}(ID_{u})}}\\ =&(\widetilde{f}_{j}\cdot \widetilde{U}_{j}^{ID_{j}})^{r} \cdot \widetilde{P}^{-\frac{\alpha ^{u}\mathcal {J}(ID_{j})}{\mathcal {F}(ID_{u})}-\frac{\alpha ^{(N-j+1+u)} \mathcal 
{F}(ID_{j})}{\mathcal {F}(ID_{u})}}\\ =&(\widetilde{f}_{j}\cdot \widetilde{U}_{j}^{ID_{j}})^{r}\cdot \big (\widetilde{P}^{y^{'}+\alpha ^{N-j+1}(p-mk_{j}+x_{j})+ID_{j}+ID_{j}\alpha ^{N-j+1}}\big )^{-\frac{\alpha ^{u}}{\mathcal {F}(ID_{u})}}\\ =&(\widetilde{f}_{j}\cdot \widetilde{U}_{j}^{ID_{j}})^{r-\frac{\alpha ^{u}}{\mathcal {F}(ID_{u})}}=(\widetilde{f}_{j}\cdot \widetilde{U}_{j}^{ID_{j}})^{\widehat{r}} \end{aligned}$$
The simulator \(\mathcal {B}\) can perform the above computations if and only if \(\mathcal {F}(ID_{u})\ne 0 (\bmod {~p})\). More precisely, \(\mathcal {Q}(ID_{u})\ne 0\) alone is sufficient to continue the above computations, since \(\mathcal {Q}(ID_{u})\ne 0\) implies \(\mathcal {F}(ID_{u})\ne 0 (\bmod {~p})\).
- Challenge: Now, \(\mathcal {A}\) submits two equal-length messages \(M_{0},M_{1}\) and two receiver sets \(\mathcal {S}_{0}\), \(\mathcal {S}_{1}\), each containing \(L=\textsf {poly}(\eta )\) user identities, subject to the restriction that for all \(id_{u}\) of secret-key queries in Phase 1, \(ID_{u}=H(id_{u})\in \mathcal {S}_{0}\cap \mathcal {S}_{1}\). Assume that the challenge set is of the form \(\mathcal {S}_{\varkappa }=\big \{ID_{\varkappa ,i}\big \}_{i=1}^{L}\) for \(\varkappa \in \{0,1\}\). Now, \(\mathcal {B}\) aborts the game and chooses a random bit from \(\{0,1\}\) if \(\sum _{ID_{\varkappa ,j}\in \mathcal {S}_{\varkappa }} \alpha ^{N-j+1}(p-mk_{j}+x_{j}+ID_{\varkappa ,j}) \ne 0 (\bmod {~p})\) holds. Finally, \(\mathcal {B}\) chooses \(\zeta ,\varkappa \in _{R}\{0,1\}\) and computes the ciphertext components for the set \(\mathcal {S}_{\varkappa }=\big \{ID_{\varkappa ,i}\big \}_{i=1}^{L}\) as follows.
$$\begin{aligned} C_{\varkappa ,\zeta ,0}=P^{c},~C_{\varkappa ,\zeta ,1}=P^{c(\sum _{ID_{\varkappa ,j}\in \mathcal {S}_{\varkappa }}y^{'}+ID_{\varkappa ,j})},~C_{\varkappa ,\zeta ,2}=M_{\zeta }e(P^{c},\widetilde{P}_{1}^{a})K \end{aligned}$$
It sets the personalized keys as \(K_{u}^{(\varkappa ,\zeta )}=e(P^{c},{\widetilde{P}}_{2}^{ID_{u}})\cdot e(P^{c},\widetilde{P}_{1}^{a})K\) for each user identity \(ID_{u} \in \mathcal {S}_{\varkappa }\). Here, \(K\) is extracted from the DBDHE challenge instance. Finally, \(\mathcal {B}\) passes \(\mathcal {A}\) the challenge ciphertext \(\textsf {CT}=\big (C_{\varkappa ,\zeta ,0}, C_{\varkappa ,\zeta ,1}, C_{\varkappa ,\zeta ,2}\big )\) corresponding to the message \(M_{\zeta }\) and \(\mathcal {S}_{\varkappa }\).
   Note that \(\textsf {CT}\) is a valid ciphertext corresponding to the challenge message \(M_{\zeta }\) and the challenge set \(\mathcal {S}_{\varkappa }\). Assume that \(s=c\), \(K=e(P,\widetilde{P})^{c\cdot \alpha ^{N+1}}\), then
$$\begin{aligned} C_{\varkappa ,\zeta ,0}=&P^{c}=P^{s}\\ C_{\varkappa ,\zeta ,1}=&P^{c\big (\sum _{ID_{\varkappa ,j}\in \mathcal {S}_{\varkappa }}\mathcal {J}(ID_{\varkappa ,j})\big )} =P^{c\big (\sum _{ID_{\varkappa ,j}\in \mathcal {S}_{\varkappa }}y^{'}+ID_{\varkappa ,j}\big )}\\ =&\bigg [\prod \limits _{ID_{\varkappa ,j}\in \mathcal {S}_{\varkappa }} P^{\alpha ^{N-j+1}(p-mk_{j}+x_{j})}\cdot P^{y^{'}} \cdot P^{\alpha ^{N-j+1}ID_{\varkappa ,j}} \cdot P^{ID_{\varkappa ,j}}\bigg ]^{c}\\ =&\big (\prod \limits _{ID_{\varkappa ,j}\in \mathcal {S}_{\varkappa }} f_{j}\cdot U_{j}^{ID_{\varkappa ,j}}\big )^{c}=\big (\prod \limits _{ID_{\varkappa ,j}\in \mathcal {S}_{\varkappa }} f_{j}\cdot U_{j}^{ID_{\varkappa ,j}}\big )^{s}\\ C_{\varkappa ,\zeta ,2}=&M_{\zeta }\cdot K\cdot e(P^{c},\widetilde{P}_{1}^{a})=M_{\zeta } e(P,\widetilde{P})^{c\cdot \alpha ^{N+1}} e(P^{c},\widetilde{P}_{1}^{a})=M_{\zeta } e(P,\widetilde{P})^{(\alpha ^{N}+a)c\alpha } \end{aligned}$$
Since \((\alpha ^{N}+a)c\alpha \) and \(s\) are uniformly distributed over \(\mathbb {Z}_{p}^{*}\), \(\textsf {CT}\) is valid and uniformly distributed over the ciphertext space. Similarly, we can show that the personalized keys \(K_{u}^{(\varkappa ,\zeta )}\) are also valid by the following computations.
$$\begin{aligned} K_{u}^{(\varkappa ,\zeta )}=&e(P^{c},{\widetilde{P}}_{2}^{ID_{u}})\cdot e(P^{c},\widetilde{P}_{1}^{a})K\\ =&e(P^{\alpha ^{N}+a},{\widetilde{P}}^{ID_{u}})^{c} \cdot e(P,\widetilde{P})^{c\cdot \alpha ^{N+1}} e(P^{c},\widetilde{P}_{1}^{a})\\ =&e(P_{2},{\widetilde{P}}^{ID_{u}})^{c} \cdot e(P,\widetilde{P})^{(\alpha ^{N}+a)c\alpha } \end{aligned}$$
- Phase 2: The adversary \(\mathcal {A}\) can adaptively issue additional user secret-key generation queries as in Phase 1, with the restriction that queried identities lie in \(\mathcal {S}_{0} \cap \mathcal {S}_{1}\).
- Guess: Finally, \(\mathcal {A}\) returns a guess \((\zeta ^{'},\varkappa ^{'})\in \{0,1\}\times \{0,1\}\) of \((\zeta ,\varkappa )\) to \(\mathcal {B}\).
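The Phase 1 and Challenge identities above can be checked mechanically; the following is an added example, not code from the paper. It represents every group element by its discrete logarithm modulo a toy prime, so group operations and pairings reduce to modular arithmetic. Assumptions: the function name, the toy prime and the parameter values are constructed, and \(\mathcal {F}\) is taken in the form \(p-mk_{j}+x_{j}+ID_{j}\) used in the derivation of \(d_{u,u}\).

```python
import random

P_ORDER = 2**61 - 1  # constructed toy prime group order; real parameters are ~256 bits

def check_simulation(N=5, m=8, seed=2020, p=P_ORDER):
    """Return (keys verified, highest alpha-power used, whether alpha^(N+1) was needed)."""
    rng = random.Random(seed)
    alpha, a, y1, r, c = (rng.randrange(1, p) for _ in range(5))
    ID = {j: rng.randrange(1, p) for j in range(1, N + 1)}
    k = {j: rng.randrange(0, N + 1) for j in ID}
    x = {j: rng.randrange(0, m) for j in ID}
    used = set()  # indices i of the elements Y~_i the simulator touches

    def Y(i):
        # Exponent of Y~_i = P~^(alpha^i); index N+1 is withheld from the simulator.
        if i == N + 1:
            raise ValueError("simulator has no Y~_{N+1}")
        used.add(i)
        return pow(alpha, i, p)

    # Assumption: F in the form used in the d_{u,u} derivation (no x' term).
    F = {j: (p - m * k[j] + x[j] + ID[j]) % p for j in ID}
    J = {j: (y1 + ID[j]) % p for j in ID}
    # Exponent of f~_j * U~_j^{ID_j}, which equals J(ID_j) + alpha^(N-j+1) * F(ID_j).
    h = {j: (J[j] + Y(N - j + 1) * F[j]) % p for j in ID}
    P2 = (Y(N) + a) % p        # exponent of P~_2
    msk = P2 * alpha % p       # exponent of P~_2^alpha; only the real authority knows it

    verified = 0
    for u in ID:
        if F[u] == 0:          # the case in which the simulator aborts
            continue
        f_inv = pow(F[u], -1, p)
        r_hat = (r - pow(alpha, u, p) * f_inv) % p
        # Simulated components, built from r and the available Y~_i only.
        d_u0 = (r - Y(u) * f_inv) % p
        d_uu = (Y(1) * a - Y(u) * J[u] * f_inv + h[u] * r) % p
        assert d_u0 == r_hat
        assert d_uu == (msk + h[u] * r_hat) % p
        for j in ID:
            if j != u:
                d_uj = (h[j] * r - (Y(u) * J[j] + Y(N - j + 1 + u) * F[j]) * f_inv) % p
                assert d_uj == h[j] * r_hat % p
        verified += 1

    # Challenge: when K = e(P, P~)^(c * alpha^(N+1)), the blinding factor of C_2
    # has exponent (alpha^N + a) * c * alpha, as in a real ciphertext.
    K = c * pow(alpha, N + 1, p) % p
    assert (K + c * a * alpha) % p == P2 * c * alpha % p
    return verified, max(used), (N + 1) in used

if __name__ == "__main__":
    print(check_simulation())
```

The highest index requested is \(2N\) and index \(N+1\) is never requested, which matches the set \(\{\widetilde{Y}_{i}\}_{i=1,i\ne N+1}^{2N}\) that the simulator derives from the DBDHE instance.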
Probability analysis
If \((\zeta ^{'},\varkappa ^{'})=(\zeta ,\varkappa )\), \(\mathcal {B}\) outputs 0, indicating that \(K=e(P,\widetilde{P})^{c\cdot \alpha ^{N+1}}\); otherwise, it outputs 1, indicating that K is a random element of \(\mathbb {G}_{T}^{\times }\). The simulation of \(\mathcal {B}\) is perfect when \(K=e(P,\widetilde{P})^{c\cdot \alpha ^{N+1}}\). Therefore, we have
where \({\textsf {Adv}}^{{\textsf {IND-CPA}}}_{{\mathcal {A}},\textsf {IB-OAnoBEPM}}(\eta )\) is the advantage of \(\mathcal {A}\) in the above game. However, the message is completely hidden from \(\mathcal {A}\) when \(K=X\), a random element from \(\mathbb {G}_{T}^{\times }\). Therefore, we have the probability
Hence, the advantage of \(\mathcal {B}\) in breaking the \(\textsf {DBDHE}\) challenge is
Therefore, if \(\mathcal {A}\) has non-negligible advantage in correctly guessing \((\zeta ^{'},\varkappa ^{'})\), then \(\mathcal {B}\) predicts \(K=e(P,\widetilde{P})^{c\cdot \alpha ^{N+1}}\) or random element of \(\mathbb {G}_{T}^{\times }\) (i.e., breaks the \(\textsf {DBDHE}\) challenge) with non-negligible advantage.
Hence, the proof.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Mandal, M., Nuida, K. (2020). Identity-Based Outsider Anonymous Broadcast Encryption with Simultaneous Individual Messaging. In: Kutyłowski, M., Zhang, J., Chen, C. (eds) Network and System Security. NSS 2020. Lecture Notes in Computer Science(), vol 12570. Springer, Cham. https://doi.org/10.1007/978-3-030-65745-1_10
DOI: https://doi.org/10.1007/978-3-030-65745-1_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-65744-4
Online ISBN: 978-3-030-65745-1
eBook Packages: Computer Science, Computer Science (R0)